RFR: 8013527: calling MethodHandles.lookup on itself leads to errors

Mandy Chung mchung at openjdk.java.net
Wed Feb 3 17:27:41 UTC 2021


On Wed, 3 Feb 2021 17:20:40 GMT, Mandy Chung <mchung at openjdk.org> wrote:

>> src/java.base/share/classes/java/lang/invoke/MethodHandleImpl.java line 1205:
>> 
>>> 1203:             Class<?> invokerClass = new Lookup(targetClass)
>>> 1204:                     .makeHiddenClassDefiner(name, INJECTED_INVOKER_TEMPLATE, Set.of(NESTMATE))
>>> 1205:                     .defineClass(true, targetClass);
>> 
>> Using the target class directly could lead to some unintended problems.
>> 
>> An attacker can define it's own hidden class as nestmate and with a name ending in `$$InjectedInvoker`.  
>> This allows the attacker to "teleport" into a nestmate with full privileges.  
>> An attacker could then access `MethodHandles.classData`.
>> 
>> Suggested remedy: Create a holder that is only visible to `java.lang.invoke`:
>> 
>> /* package-private */ static class OriginalCallerHolder {
>>     final Class<?> originalCaller;
>>     OriginalCallerHolder(Class<?> originalCaller) {
>>         this.originalCaller = originalCaller;
>>     }
>> }
>> 
>> As this type is only visible inside `java.lang.invoke`, it can't be created without hacking into `java.lang.invoke`, at which point all bets are off anyway.
>> 
>> (A previous commit was even more dangerous, as you can force `jlr.Proxy` to inject a class into your package with a `null`-PD)
>
> Only `Lookup` with the original access can access `MethodHandles.classData`.   A hidden class `HC$$InjectedInvoker/0x1234` can access private members of another class `C` in the same nest but not `C`'s class data.
> 
> I don't follow which previous commit you refer to more dangerous.  Please elaborate.   I don't see any security concern with class data.

Last night, I had a second thought that the fix for these two JBS issues does not need the class data.  It's more for a future use.  I plan to revise it and drop class data in this fix anyway.

-------------

PR: https://git.openjdk.java.net/jdk/pull/2367


More information about the core-libs-dev mailing list